Kafka: usage of short password

Kafka serves as a block in a log shipping solution, data lake solutions, messaging and queue solutions. As such it is a vital and sensitive part of information security.

Using short passwords for SSL keystore can be a security risk. Short passwords are predictable and can be brute-forced, especially if a hacker has obtained a key store file.

Problem

We located a short password in Kafka's configuration file, which means that:

  1. It is better to use a long password
  2. It should be verified that there are no hardcoded passwords, or that you're generating a configuration dynamically in production with solutions such as confd.

Fix

Remove the hardcoded password (see KAFKA005), and employ a password policy.

See